Who your friends are says a lot about you. And in our ever-more digital world, public knowledge of who they are may be a major security risk to you. This risk has been spotlighted once again with the recent scandal of US national security adviser Michael Waltz’s exposed Venmo Friends List. Venmo, a popular American mobile payment app owned by PayPal, allows the user to sync contacts from their phone directly into the app as “friends”. These friends then populate the user’s “Friends List” within the app, letting the user easily transact with their existing contacts without asking for their Venmo accounts. While it may seem common and user-friendly for apps to import contacts from your phone, the social media aspect of Venmo makes this feature dangerous: your Friends List, i.e. all your contacts, is public by default, and so are your transactions.
This is how Wired investigative journalists Dhruv Mehrotra and Tim Marchman discovered Waltz’s Venmo Friends List. Since he had left it public, the whole world now knows his phone book, including his high-profile colleagues such as White House Chief of Staff Susie Wiles and personal contacts such as doctors and real estate agents. These exposed relationships, especially the personal ones, are the “patterns, pressure points, or a way in” that spies look for. Mehrotra and Marchman spell out the danger of the privacy defaults of a feature such as Venmo’s Friends List: by making relationships public and visible, these platforms “potentially [give] adversaries a searchable map of the people around power.”
What’s most alarming, though, is that Waltz’s Friends List was not exposed by highly technical hackers, but was revealed by the Wired journalists simply using the native search function in Venmo. This means that you, I, and the average Joe can do the same type of investigation (or deep stalking) with our own Venmo accounts on other people’s public Friends Lists, because of the app’s poor UI/UX design choices and default privacy settings. This is exactly why product teams need to care about the data footprint left by a product, and to understand what sensitive user relationships or metadata are stored or displayed by default.
The key method for uncovering a product’s data footprint is a digital forensics analysis of the product. Digital forensics “is a branch of forensic science that focuses on identifying, acquiring, processing, analysing, and reporting on data stored electronically.” In other words, digital forensics helps us understand what digital evidence is left behind by digital and electronic products. Although most often used by law enforcement and in corporate incident response, digital forensics can be a valuable tool for product teams to identify security and privacy blind spots, such as Venmo making the Friends List public by default.
In light of this incident, I went back to a white paper I wrote on Venmo’s iOS digital forensics back in 2021 for my university cybersecurity course. In my analysis, I uncovered the types of data stored by Venmo and where they were stored on a user’s iPhone. Take the Friends List feature, for example. The Wired investigative journalists were able to find the names and Venmo accounts in Waltz’s Friends List within the UI. However, there is a lot more data from the Friends List feature that would be stored on any user’s phone. I found lists of the friends’ phone numbers, the friends the user most often transacts with, and even accounts that are not the user’s friends but have transaction histories with the user. The breadcrumbs left behind are enough to piece together who the user’s contacts are, how to reach them, how close they are to the user, who is in the user’s peripheral network, and what the user likes to buy.
Chilling, isn’t it, for a stranger to find out so much about you just from your Venmo? But perhaps what would really send a chill down your spine is that Venmo was made aware of the security risks of exposing users’ transactions and Friends Lists back in 2019, through an open letter by Mozilla and the Electronic Frontier Foundation (EFF). They pleaded for Venmo to 1) make transactions private by default, and 2) give users privacy settings for their Friends List. The company, however, took no immediate action following the open letter. It was not until 2021, when BuzzFeed News revealed how easy it was to find former president Joe Biden on the app, that Venmo finally gave users the option to hide their Friends List, complying with only Point 2 of the open letter. Venmo knowingly put its users at risk for two years, and even now, six years later, the company still has yet to make transactions and Friends Lists private by default.
“Venmo’s disregard for its users’ privacy”, as criticised by Mozilla and the EFF, makes consumers lose trust in the digital products they use every day, and turns them away from products and companies that fail to respect and protect their users’ security and privacy.
This is why product teams need to see privacy as a business strategy, not a compliance obligation. Cory Munchbach, CEO of customer data platform BlueConic, states that “[t]he brands that prioritise privacy today will gain customer loyalty tomorrow.” She understands that privacy is “a driving force for earning consumer trust” and even a brand differentiator. By incorporating privacy into value propositions, companies can “turn [privacy] from a risk to be managed into a growth driver”.
To read the full Venmo iOS Forensics White Paper I wrote in 2021 for my iOS Digital Forensics Course at the University of Southern California (USC), click here.